SuSE alert: tcpdump

tcpdump is a widespread network/packet analysis tool, also known as a
packet sniffer, used in Unix and Unix-like environments.
Several overflowable buffers have been found in SuSE's version of tcpdump
that could allow a remote attacker to crash the local tcpdump process.
Since tcpdump may be used in combination with intrusion detection
systems, a crashed tcpdump process may disable the network monitoring
system as a whole.
The FreeBSD team who found these vulnerabilities also reported that
tcpdump's portion of code that can decode AFS ACL (AFS=Andrew File
System, a network filesystem, ACL=Access Control List) packets is
vulnerable to a (remotely exploitable) buffer overrun attack that
could allow a remote attacker to execute arbitrary commands as root
since the tcpdump program usually requires root privileges to gain
access to the raw network socket.
The versions of tcpdump as shipped with SuSE distributions do not
contain the AFS packet decoding capability and are therefore not
vulnerable to this second form of attack.

A temporary workaround for the tcpdump problems other than not using
tcpdump in the first place does not exist. However, we provide update
packages for the affected SuSE distributions. We recommend an upgrade
using the packages that can be found using the URLs below.

Note: There is only one source rpm package but two
binary rpm packages. tcpdump*.rpm is the rpm for the tcpdump program,
and libpcapn*.rpm is the packet capture library that is required by
tcpdump at compile time. In order to remove the security vulnerability
in tcpdump, it is necessary to update the tcpdump rpm package only.
The libpcapn package with the static library is provided for
consistency and compatibility because it will be generated if the
binary packages are rebuilt from the source rpm.

To check if your system has the vulnerable package installed, use the
command `rpm -q <package name>'. If applicable, please choose the update
package(s) for your distribution from the URLs listed below and download
the necessary rpm files. Then, install the package using the command
`rpm -Uhv file.rpm'. rpm packages have an internal md5 checksum that
protects against file corruption. You can verify this checksum
(independently from the md5 signatures below) using the command
`rpm --checksig --nogpg file.rpm'.
The md5 sums under each package are to prove the package authenticity,
independently from the md5 checksums in the rpm package format.

Clarification:
In my message (Subject: "SuSE: miscellaneous"), dated Wed, 15 Nov 2000,
concerning the paragraph about runtime linking problems in gs
(GhostScript), I have stated that the problem will be fixed in future
versions of the SuSE distribution. This does not touch the fact that we
will of course provide fixes for the older distributions.

- pine

We're still working on the packages for the version 4.30 (stability
problems).

- ppp

The ppp "deny_incoming" problem as announced by FreeBSD Security
Advisory FreeBSD-SA-00:70.ppp-nat is FreeBSD specific and does not
affect the SuSE distribution.

- vixie cron

Michal Zalewski <lcamtuf@TPI.PL> reported security problems in
Paul Vixie's cron implementation that is commonly used in Linux
distributions. Due to correct permissions on the directory
/var/spool/cron, the SuSE cron package is not affected by the problem.

SuSE runs two security mailing lists to which any interested party may
subscribe:

suse-security@suse.com
- general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe@suse.com>.

suse-security-announce@suse.com
- SuSE's announce-only mailing list.
Only SuSE's security announcements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe@suse.com>.

For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info@suse.com> or
<suse-security-faq@suse.com> respectively.

The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way.
SuSE GmbH makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.